LeakerLocker ransomware threatens to dox Android users as extortion

Digital threat spotted in two apps on Google’s Play Store.

David bisson
David Bisson

LeakerLocker ransomware threatens to dox Android users as extortion

Mobile ransomware known as LeakerLocker threatens to dox Android users with whom it comes into contact as a means of extortion.

The threat, detected by McAfee’s research team as “Android/Ransom.LeakerLocker.A!Pkg”, concealed itself inside two applications previously available on Google’s official Play Store. The first program was “Booster & Cleaner Pro,” which boasted as many as 5,000 installs and an inflated rating of 4.5/5.0.

Upwards of 10,000 users downloaded the second application, known as “Wallpapers Blur HD.” They gave it an average rating of only 3.6/5.0. No doubt some users’ warnings about the application’s request to make calls, read and send SMS messages, and access contents brought that rating down.

Sign up to our free newsletter.
Security news, advice, and tips.
Wallpapers Blur HD. (Source: McAfee)
Wallpapers Blur HD. (Source: McAfee)

LeakerLocker doesn’t encrypt a user’s files like other Android-based ransomware. Upon successful installation, it locks the home screen and accesses private information in the background. A .dex file allows the threat to modify this behavior in an effort to avoid detection.

But this locker malware doesn’t do all that it says it does. McAfee’s Fernando Ruiz and ZePeng Chen elaborate on that point:

“Not all the private data that the malware claims to access is read or leaked. The ransomware can read a victim’s email address, random contacts, Chrome history, some text messages and calls, pick a picture from the camera, and read some device information…

“All this information is randomly chosen to display via JavaScript (in jpus.js) and convince the victims that lots of data has been copied. A WebView appears after the device is locked.”

20170706 leaker 1
LeakerLocker’s WebView. (Source: McAfee)

Users who believe the attackers actually possess all their information might decide to click the “PROCCEED” button. If they pay the US$50 successfully, LeakerLocker unlocks their device and displays the following message: “our [sic] personal data has been deleted from our servers and your privacy is secured.” And so the bluffers reap their profits.

To discourage this type of fraudulent behavior, it’s important that Android users protect against locker- and encryption-based mobile ransomware, not to mention fake apps that claim to protect them against such threats. They can do all this by downloading apps from only trusted developers on Google’s Play Store.

Android users should also back up their important mobile data on a regular basis and install an anti-virus solution onto their computers.

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

3 comments on “LeakerLocker ransomware threatens to dox Android users as extortion”

  1. Stu Clayton

    What is the cash value, for users, of your sentence: "They can do all this by downloading apps from only trusted developers on Google's Play Store" ? This sounds like apposition, i.e. all developers on Play Store are to be trusted, and therefore all apps developed by them too. If that's not what you mean, you might consider that 1) ordinary people do not usually know any "developer", 2) much less one who has developed an app for Play Store.

  2. Stu Clayton

    I should mention that I have been a developer for 30 years, but not of "apps" of course. I have no clue as to what app to "trust", and it seems to me that trust in this connection is what people talk about when it's too late. You are giving people criteria that they can't understand or can't apply. Not even I understand what your advice amounts to. It might not be a bad thing to just fess up: you never know when you're going to get hit, even with stuff from Play Store, as in the present case.

  3. David L

    The comments above make valid points. Therefore, I recommend Sophos.com Android Security apps. They have the most comprehensive suit of features, and can interact with Firefox and Chrome browsers besides app scans that warn of apps with low reputation. They tested at 100% detection of malware samples with two independent labs, AV Test, and AV Comparatives. They have an app lock feature, scan SMS for phishing links, and much, much, more. Oh, one last thing, the Theft protection goes well beyond what native Android & Google provide.

    And it's ALL free, & ad free, which leaves it standing as one of the vary few that don't require subscriptions, to get rid of "ads" in a Security app !!! and get some extra features, like Avast, and many others.

    Malwarebytes also has a pretty good Android Security app, with just the basics, but works very well. It's also free & ad free too.Both of these suggestions are very easy on resources, as I've been using them for quite some time.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.